From baf2e34523afb81aa06eee6f6cec9b538a5cb37d Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Mon, 1 Dec 2014 19:50:45 +0000 Subject: [PATCH] openvpn: update to 2.3.6, fixes CVE-2014-8104 Signed-off-by: Felix Fietkau Backport of r43482 SVN-Revision: 43483 --- package/network/services/openvpn/Makefile | 4 +- .../openvpn/patches/100-polarssl_compat.h | 67 ++++++++++++------- 2 files changed, 46 insertions(+), 25 deletions(-) diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index 1e0c7faf29..c146f9ec0d 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.3.4 +PKG_VERSION:=2.3.6 PKG_RELEASE:=1 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_MD5SUM:=04d47237907faabe9d046970ffe44b2e +PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h index 86e7ec6a94..4def9670f0 100644 --- a/package/network/services/openvpn/patches/100-polarssl_compat.h +++ b/package/network/services/openvpn/patches/100-polarssl_compat.h @@ -11,7 +11,7 @@ struct _buffer_entry { --- a/src/openvpn/ssl_polarssl.c +++ b/src/openvpn/ssl_polarssl.c -@@ -45,7 +45,7 @@ +@@ -46,7 +46,7 @@ #include "manage.h" #include "ssl_common.h" @@ -20,12 +20,13 @@ #include #include "ssl_verify_polarssl.h" -@@ -209,12 +209,12 @@ tls_ctx_load_dh_params (struct tls_root_ +@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_ { - if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline) + if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline) { -- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline))) -+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline))) +- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, ++ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, + strlen(dh_inline))) msg (M_FATAL, "Cannot read inline DH parameters"); } else @@ -35,13 +36,13 @@ msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); } -@@ -249,13 +249,13 @@ tls_ctx_load_cert_file (struct tls_root_ +@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_ - if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline) + if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) { -- if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline, -+ if (0 != x509_crt_parse(ctx->crt_chain, cert_file_inline, - strlen(cert_file_inline))) +- if (0 != x509parse_crt(ctx->crt_chain, ++ if (0 != x509_crt_parse(ctx->crt_chain, + (const unsigned char *) cert_inline, strlen(cert_inline))) msg (M_FATAL, "Cannot load inline certificate file"); } else @@ -51,12 +52,31 @@ msg (M_FATAL, "Cannot load certificate file %s", cert_file); } } -@@ -476,13 +476,13 @@ void tls_ctx_load_ca (struct tls_root_ct +@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_ + status = x509parse_key(ctx->priv_key, + (const unsigned char *) priv_key_inline, strlen(priv_key_inline), + NULL, 0); +- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status) ++ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) + { + char passbuf[512] = {0}; + pem_password_callback(passbuf, 512, 0, NULL); +@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_ + else + { + status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL); +- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status) ++ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) + { + char passbuf[512] = {0}; + pem_password_callback(passbuf, 512, 0, NULL); +@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct - if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline) + if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline) { -- if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline))) -+ if (0 != x509_crt_parse(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline))) +- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline, ++ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline, + strlen(ca_inline))) msg (M_FATAL, "Cannot load inline CA certificates"); } else @@ -67,13 +87,14 @@ msg (M_FATAL, "Cannot load CA certificate file %s", ca_file); } } -@@ -496,13 +496,13 @@ tls_ctx_load_extra_certs (struct tls_roo +@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo - if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline) + if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) { -- if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline, -+ if (0 != x509_crt_parse(ctx->crt_chain, extra_certs_file_inline, - strlen(extra_certs_file_inline))) +- if (0 != x509parse_crt(ctx->crt_chain, ++ if (0 != x509_crt_parse(ctx->crt_chain, + (const unsigned char *) extra_certs_inline, + strlen(extra_certs_inline))) msg (M_FATAL, "Cannot load inline extra-certs file"); } else @@ -83,7 +104,7 @@ msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); } } -@@ -684,7 +684,7 @@ void key_state_ssl_init(struct key_state +@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state external_key_len ); else #endif @@ -92,7 +113,7 @@ /* Initialise SSL verification */ #if P2MP_SERVER -@@ -1026,7 +1026,7 @@ print_details (struct key_state_ssl * ks +@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks cert = ssl_get_peer_cert(ks_ssl->ctx); if (cert != NULL) { @@ -103,7 +124,7 @@ msg (D_HANDSHAKE, "%s%s", s1, s2); --- a/src/openvpn/crypto_polarssl.c +++ b/src/openvpn/crypto_polarssl.c -@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex +@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) { @@ -218,7 +239,7 @@ { --- a/configure.ac +++ b/configure.ac -@@ -809,13 +809,13 @@ if test "${with_crypto_library}" = "pola +@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola #include ]], [[ -- 2.30.2